Re: RFC: Handling of certificates in Debian
On Sat, 31 Aug 2002, Brian May wrote:
> On Sat, Aug 31, 2002 at 12:18:04AM +0100, Andrew McDonald wrote:
> > Even the hostname check can be problematic - does the user really need
> > to accept the certificate every time because the name doesn't match?
> I think the issue is this: if no hostname check is done, how do you know

If no hostname check is done, it is a security bug. If no server and client
certificate checks are done (and implemented), it is a security bug.

> (note that I really like this reliance on checking the hostname, for
> instance it doesn't work properly with virtual name domains under https,
> but it somehow seems to have become the de facto default, and we seem to
> be stuck with it for now).

It can, if the !@#$@#$ browsers implement the altName extension.

"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
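
The hostname check discussed above, applied to a certificate that lists several virtual hosts in its subjectAltName extension. This is an added example, not part of the original message; the certificate dicts are constructed (laid out like the result of Python's `ssl.SSLSocket.getpeercert()`), and the hostnames and function names are hypothetical.

```python
# Added example: hostname check against subjectAltName dNSName entries.
# Certificate dicts are constructed; layout mirrors ssl.SSLSocket.getpeercert().

def _label_match(pattern: str, host: str) -> bool:
    """Match one certificate name; '*' may only replace the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole suffix such as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial wildcards ("w*.example.org") are rejected outright.
    return "*" not in pattern and p_labels == h_labels


def hostname_matches(cert: dict, host: str) -> bool:
    """True if host is covered by the names in the certificate."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # When dNSName entries exist, the subject CN is not consulted.
        return any(_label_match(n, host) for n in dns_names)
    # Fallback for certificates without dNSName entries: subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _label_match(value, host):
                return True
    return False


# Constructed certificate for one HTTPS server carrying several virtual hosts.
VHOST_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (
        ("DNS", "www.example.org"),
        ("DNS", "shop.example.net"),
        ("DNS", "*.lists.example.org"),
    ),
}
# Constructed certificate with only a CN: it can name a single host.
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.org"),),)}

if __name__ == "__main__":
    for h in ("www.example.org", "shop.example.net",
              "a.lists.example.org", "evil.example.com"):
        print(h, hostname_matches(VHOST_CERT, h), hostname_matches(CN_ONLY_CERT, h))
```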